Putting Coders' Security Chops to the Test

So you think your dev team understands how to build secure software? Care to put them to the test? The SANS Institute is preparing to make that possible.

This summer the Washington, D.C.-based computer-security research and education organization will launch a new series of assessment and certification exams designed specifically to test programmers' secure coding skills.

"There isn't a person in the software business who, at one time or another, hasn't exclaimed, 'When are they going to learn not to put buffer overflows in their code!'" says Alan Paller, director of research for SANS, which stands for sysadmin, audit, network and security. "This program will do the one thing that will drive secure coding into the enterprise: It gives employers the ability to reliably assess the skills of their employees."

The SANS program consists of four examinations, each covering a different programming language suite: C/C++, Java/J2EE, Perl/PHP and .NET/ASP. The exams are designed to measure technical proficiency and expertise in identifying and correcting the common programming errors that lead to security vulnerabilities. Programmers -- or anyone else interested -- will be able to take the exams online to test their skills unofficially, or in a proctored setting to receive the GIAC Secure Software Programmer (GSSP) certification.
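To make concrete the kind of error these exams are meant to catch, here is an added example (not material from SANS or the GSSP exams, and not code from the article): the C buffer overflow Paller alludes to, shown next to a bounds-checked version. The function and buffer names are illustrative, and the two inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the classic C error: a fixed-size stack buffer
 * filled with strcpy(), next to a version that checks the length first.
 * Names (greet_unsafe, greet_safe, NAME_CAP) are invented for this example. */

#define NAME_CAP 16

/* Vulnerable: strcpy() copies until the NUL byte in src and never looks at
 * the destination's size. Any src of NAME_CAP or more characters writes past
 * 'name', which is undefined behaviour and on a typical stack corrupts the
 * saved frame pointer and return address. */
void greet_unsafe(const char *src)
{
    char name[NAME_CAP];
    strcpy(name, src);          /* no bound on the copy */
    printf("hello, %s\n", name);
}

/* Does src, plus its terminating NUL, fit in a buffer of cap bytes? */
int fits_in(const char *src, size_t cap)
{
    return strlen(src) < cap;
}

/* Fixed: refuse input that cannot fit (including the NUL byte), then copy
 * exactly the measured length and terminator. Returns 0 on success and -1
 * when src is too long, so the caller sees the rejection instead of a crash. */
int greet_safe(const char *src)
{
    char name[NAME_CAP];
    size_t len = strlen(src);
    if (len >= sizeof name)     /* need one byte left for the NUL */
        return -1;
    memcpy(name, src, len + 1); /* len + 1 <= sizeof name, so in bounds */
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: 5 characters fits; 24 characters does not. */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAA";

    greet_unsafe(short_input);          /* works only because the input is short */
    /* greet_unsafe(long_input); */     /* would overrun 'name' and smash the stack */

    printf("%d\n", greet_safe(short_input)); /* 0 */
    printf("%d\n", greet_safe(long_input));  /* -1 */
    return 0;
}
```

The boundary is the part candidates usually get wrong: a 15-character name is the longest that fits in a 16-byte buffer, because the terminator needs the last byte, so the check is `len >= sizeof name`, not `len > sizeof name`.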

"The original plan was just to provide an assessment tool," Paller says. But a request from the U.S. Defense Department led the organization to add the certification option to the program.

The first exams are scheduled to be administered in August in Washington, D.C., on a pilot basis; the organization plans to roll out the program worldwide through the remainder of 2007.

Backed by Broad Coalition
SANS was established in 1989 as a cooperative research and education organization. Today it's known as a provider of intensive, immersion training courses in computer security. SANS also operates the Internet Storm Center (isc.sans.org) early warning system.

Some marquee names in the information technology business, as well as government agencies and financial organizations, have pitched in to help develop the SANS coding exams for programmers. Among its supporters are Symantec Corp., Juniper Networks Inc., Siemens AG and Fortify Software Inc.

Brian Chess, co-founder and chief scientist at Palo Alto, Calif.-based Fortify, sees the SANS exams as an important step in the right direction. "It's really the developers, not the security team, that we have to rely on to get security right," Chess says. "Fortify's approach has been to arm developers with tools so they can get feedback about the mistakes they're making in their code as they're coding, and way before the product goes out the door. But I'm a strong advocate of educating programmers. In fact, in order for someone to be able to make good use of tools like ours, they really need to understand what security is all about."

Expert Sees Limitations
Security expert Gary McGraw is CTO of Cigital Inc. and author of numerous books on software security, including "Software Security: Building Security In" (Addison-Wesley Professional, January 23, 2006). McGraw has preached for years that better attention to security during software development will yield fewer vulnerabilities. But he doubts a multiple-choice test can really measure a coder's knowledge of software security.

"I cannot think of any way to test for this stuff with multiple choice that doesn't rely on a bug-parade approach," McGraw says. "On the other hand, there are an awful lot of programmers out there, and if this exam program helps them to be more aware of software security problems because their boss makes them take the test, that's great," he says.

Paller says SANS' underlying goal is actually to influence computer science educators. "We hope that, if they see that the security skills of their graduates are going to be measured by their bosses, they will begin to embed this in all of their programming courses. We want to make sure that when you learn to code, you learn it with security baked in."

On this point, McGraw agrees. "Application security is a very serious business today, and we need to teach coders about building secure software while we're teaching them to code," he says. "I'd like to see this stuff become part of a real computer science curriculum, not some certification program."

"I think Gary's concern is valid," Chess says. "But I don't think the test is the main value here. More valuable, I think, is what you have to do to get ready for the test. That involves paying attention to software security, and that's the No. 1 thing I want programmers to do. I want them to think about the different ways that software security might impact their work."